The Lazarus Group is a notorious North Korean state-sponsored hacking organization known for:-
- Cyber espionage
- Financial Theft
- Destructive attacks
They have been implicated in high-profile incidents, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.
Cybersecurity researchers at Cisco Talos recently found Lazarus Group’s “Operation Blacksmith” using new DLang-based malware to attack organizations across the globe.
Blacksmith operation exploits Log4Shell (CVE-2021-44228) and deploys a new DLang RAT via Telegram for C2 communication.
Three families were discovered, including:-
- Telegram-based RAT “NineRAT”
- Non-Telegram RAT “DLRAT”
- Downloader “BottomLoader”
Technical analysis
NineRAT operates through Telegram for C2, including commands and file transfers. Lazarus uses Telegram for stealth.
It comprises a dropper with two embedded components:-
- An instrumentor (nsIookup.exe)
- A second component for persistence (Execute by the first component.)
NineRAT, the main interaction method on infected hosts, coexists with previous tools like HazyLoad for sameness. Lazarus ensures persistent access with overlapping backdoor entries.
Telegram C2 channels led to the discovery of a public bot, “[at]StudyJ001Bot,” which was later replaced by Lazarus-owned bots. Despite the switch, older NineRAT samples still use open channels, reads the report.
Anadriel, active since 2022, employs two API tokens, one publicly listed, interacting with Telegram via DLang-based libraries.
Besides this, the NineRAT tests authentication and handles file upload/download through Telegram methods. Not only that but even from the system using a BAT file, the NineRAT can also uninstall itself.
NineRAT led to the discovery of two more Lazarus DLang-based malware families. BottomLoader, a downloader, downloads payloads via a PowerShell command and creates persistence.
DLRAT, a downloader, and RAT that executes commands, performs system reconnaissance, and communicates with C2 using a hardcoded session ID.
The attack exploits CVE-2021-44228 (Log4Shell) on public-facing VMWare Horizon servers for initial access, deploying a custom implant after reconnaissance.
IOCs
Hashes
HazyLoad
- 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
NineRAT
- 534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433
- ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4
- 47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30
- f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59
- 5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541
- 82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def
BottomLoader
- 0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f
DLRAT
- e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f
- 9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a
Network IOCs
- tech[.]micrsofts[.]com
- tech[.]micrsofts[.]tech
- 27[.]102[.]113[.]93
- 185[.]29[.]8[.]53
- 155[.]94[.]208[.]209
- 162[.]19[.]71[.]175
- 201[.]77[.]179[.]66
- hxxp://27[.]102[.]113[.]93/inet[.]txt
- hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif
- hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php
- hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif
- hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif